WhatsApp Security Flaw: Major Vulnerability Discovered

by priyanka.patel, tech editor

WhatsApp Data Exposed: Researchers Uncover Massive User Data Mapping

Despite end-to-end encryption, a new study reveals WhatsApp inadvertently exposed data on over 3.5 billion users, raising serious privacy concerns.

With over three billion daily active users, WhatsApp has cultivated a reputation as a secure messaging platform. However, recent academic research demonstrates the app quietly revealed far more about its user base than many realized. A team of IT security researchers from the University of Vienna and SBA Research discovered a vulnerability allowing them to confirm the existence of WhatsApp accounts linked to phone numbers across nearly the entire globe.

Mapping the Global Network

From December 2024 through April 2025, the researchers tested billions of phone numbers, ultimately confirming more than 3.5 billion active accounts in 245 countries – a figure exceeding WhatsApp’s own publicly reported numbers. Crucially, the study found that messages themselves remained protected by end-to-end encryption. The vulnerability stemmed not from the content of communications, but from the ability to ascertain who was using the platform.

The researchers exploited a feature within WhatsApp designed to help users identify contacts already on the app. Instead of going through the official app, they accessed WhatsApp’s system through an open-source client, which gave them direct access to the service. They developed a program called “libphonegen” to generate realistic phone numbers based on numbering plans from 245 countries, creating over 63 billion possibilities. By querying WhatsApp with a simple question – “Is this an account?” – they were able to map a notable portion of the world’s WhatsApp user base.

“Normally, a system shouldn’t respond to such a high number of requests in such a short time, particularly when originating from a single source,” explained lead author Gabriel Gegenhuber.
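As an added illustration of the kind of server-side control the quote above refers to (this is not code from the study, from libphonegen or from WhatsApp), the following hypothetical guard for a contact-discovery endpoint rate-limits lookups per source and flags a source whose answered lookups are overwhelmingly misses, the signature of guessing numbers rather than syncing a real address book; the class name, thresholds and sample numbers are assumptions.

```python
from collections import defaultdict, deque

class ContactLookupGuard:
    """Per-source rate limiter plus enumeration heuristic for an
    'is this phone number registered?' endpoint (hypothetical defensive
    logic; not WhatsApp's implementation)."""

    def __init__(self, max_lookups=200, window_seconds=60.0,
                 min_sample=100, max_miss_ratio=0.9):
        self.max_lookups = max_lookups          # lookups allowed per source per window
        self.window = window_seconds
        self.min_sample = min_sample            # answers needed before judging miss ratio
        self.max_miss_ratio = max_miss_ratio    # guessed numbers are mostly unregistered
        self._times = defaultdict(deque)        # source -> timestamps of allowed lookups
        self._stats = defaultdict(lambda: [0, 0])  # source -> [answered, misses]

    def allow(self, source, now):
        """Return True if a lookup from this source may proceed right now."""
        q = self._times[source]
        while q and now - q[0] >= self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_lookups:
            return False                        # rate limit hit for this window
        q.append(now)
        return True

    def record_result(self, source, was_account):
        """Feed back whether the looked-up number turned out to be registered."""
        st = self._stats[source]
        st[0] += 1
        if not was_account:
            st[1] += 1

    def looks_like_enumeration(self, source):
        """Flag a source whose answered lookups are overwhelmingly misses."""
        answered, misses = self._stats[source]
        return answered >= self.min_sample and misses / answered >= self.max_miss_ratio

def simulate(guard, source, numbers, start, spacing, registered):
    """Drive the guard with a stream of lookups; return how many were allowed."""
    allowed = 0
    for i, num in enumerate(numbers):
        if guard.allow(source, start + i * spacing):
            allowed += 1
            guard.record_result(source, num in registered)
    return allowed

if __name__ == "__main__":
    # Constructed sample: a scanner guessing 1,000 consecutive numbers in ten seconds.
    g = ContactLookupGuard()
    reg = {"+10000000001", "+10000000002"}
    n = simulate(g, "scanner", ["+1000000%04d" % i for i in range(1000)], 0.0, 0.01, reg)
    print(n, g.looks_like_enumeration("scanner"))  # 200 True
```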

The study revealed widespread usage, even in countries with strict internet controls. Linked device usage was tripling. Even North Korea showed a small number of active accounts – five in total.

This finding highlights the risks faced by individuals in countries with restricted online access, where even proof of account ownership can have severe consequences. Millions of users openly shared deeply personal details in their profiles, including political opinions, religious symbols, and even facts linked to illicit activities.

The Danger of Faces and Flawed Encryption

The researchers downloaded 77 million images from U.S.-based accounts alone, with automated scans revealing that two-thirds contained clear human faces. This data could be used to build a reverse phone directory powered by facial recognition, potentially enabling malicious actors – including scammers, stalkers, and hostile governments – to easily identify and target individuals.

Moreover, the study uncovered concerning patterns in WhatsApp’s handling of encryption keys. Over 2.3 million keys were reused across nearly three million devices, and one public key was found to be associated with 20 U.S. numbers and corresponded to a private key consisting entirely of zeros. This suggests potential flaws in random number generation or even fraudulent activity, which could allow bad actors to impersonate users or gain unauthorized access to accounts.

Old Data, Ongoing Risk

To assess the longevity of exposed data, the researchers tested numbers from a 2018 Facebook data scrape. They found that over 280 million of the 488 million numbers remained active on WhatsApp, demonstrating that compromised data can remain valuable to criminals for years. In some countries, nearly 40% of active numbers overlapped with the old leak.

A Flaw Addressed, But Lessons Remain

The researchers shared their findings with Meta, WhatsApp’s parent company, prior to publication. The company confirmed the issue has been resolved. “We are grateful to the University of Vienna researchers for their responsible partnership,” said Nitin Gupta, vice president of engineering at WhatsApp. “This collaboration successfully identified a novel enumeration technique that surpassed our intended limits. We had already been working on anti-scraping systems, and this study helped confirm their strength.”

However, as Gegenhuber emphasized, “These findings remind us that even mature, widely trusted systems can contain flaws with real-world consequences. Security and privacy are not one-time victories; they must be constantly tested.” The research serves as a stark reminder of the ongoing need for vigilance and proactive security measures in the face of evolving threats to digital privacy.
